Configuring Captive Portal with a PEFNG License
You must purchase and install the PEFNG license on the Mobility Conductor to use identity-based security features. There are two user roles that are important for captive portal:
- Default user role, which you specify in the captive portal authentication profile, is the role granted to clients upon captive portal authentication. This can be the predefined system role.
- Initial user role, which you specify in the AAA profile, directs clients who associate to the SSID to captive portal whenever the user initiates a Web browser connection. This can be the predefined system role.
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance.
MAC-based authentication, if enabled on the Mobility Conductor, takes precedence over captive portal authentication.
Following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module:
- Install the PEFNG license on the primary Mobility Conductor.
For more information, see Aruba Mobility Conductor Licensing Guide.
- Configure the user role for a default user.
Create and configure user roles and policies for guest or registered captive portal users. For more information, see Configuring Policies and Roles.
- Create a server group.
If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information, see Authentication Servers.
If you are using the internal database of the managed device for user authentication, use the predefined “Internal” server group. The "internal" server is the local database on the Mobility Conductor. You need to configure entries in the internal database, as described in Authentication Servers.
- Create the captive portal authentication profile.
Create and configure an instance of the captive portal authentication profile. Specify the default user role for captive portal users. For more information, see Configuring Captive Portal Authentication Profiles.
- Configure the initial user role.
Create and configure the initial user role for captive portal. You also need to specify the captive portal authentication profile instance in the initial user role configuration. For example, if you are using the predefined system role for the initial role, you need to edit the role to specify the captive portal authentication profile instance. For more information, see Modifying the Initial User Role.
- Create the AAA Profile.
Create and configure an instance of the AAA profile. Specify the initial user role. For more information, see Configuring the AAA Profile.
- Create the SSID Profile. In this example, the profile name is .
Create and configure an instance of the SSID profile for the virtual AP.
- Create the Virtual AP Profile. In this example, the profile name is .
Create and configure an instance of the virtual AP profile that you apply to an AP group or AP name. Specify the AAA profile you just created.
The following sections present the WebUI and CLI procedures for configuring the captive portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within this document detail the configuration of the user roles and policies, authentication servers, and server groups.
The following procedure describes how to configure captive portal with a PEFNG license:
- Log in to the Mobility Conductor.
- In the
- In the Captive Portal Authentication profile and enter a profile name in the field (for example, . window, click to create a new
- Select the captive portal users. (for example, ) for
- Enable Captive Portal Authentication Profile Parameters table). or , as well as other parameters (refer to
- Click .
node hierarchy, navigate to the tab. Select the profile. - To specify the authentication servers, select captive portal authentication profile you just configured.
- Select the Server group (for example, ) from the drop-down list.
- Click .
under the - Select the
- Expand and click in the window to add a new profile. Enter a profile name in the field (for example, ).
- Set the captive portal authentication profile. to a role that you will configure with the
- Click .
tab. - Navigate to the
- To edit the predefined logon role, select the role and click in the policies page that opens and select .
- To configure a new role, first configure policy rules in the tab, then select the tab to add a new user role and assign policies.
- Select the profile from the drop-down list in tab under the selected role.
- Click .
tab. Select a role and click to add a new rule. - Navigate to the page to configure the virtual AP profile.
- Select the . Click for the applicable AP group name or AP name.
- Under , select , then select Virtual AP.
- Select
- In the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click . entry for the new virtual AP profile, select the
- From the SSID profile. drop-down list, select NEW. A pop-up window allows you to configure the
- Enter the name for the SSID profile (for example, ).
- Enter the network name for the SSID profile (for example, ).
- Click .
from the drop-down list to create a new virtual AP profile. Enter the name for the virtual AP profile (for example, ), then click . - Click on the new virtual AP name in the
- Make sure is selected.
- For VLAN, select the VLAN to which users are assigned (for example, 900).
- Click Submit.
or in to display configuration parameters. - Click .
- In the window, select the checkbox and click .
The following CLI commands configure captive portal with the PEFNG license:
(host) [md] (config) #aaa authentication captive-portal c-portal
default-role employee
server-group cp-srv
(host) [md] (config) #user-role logon
(host) [md] (config-submode)#access-list session c-portal
captive-portal c-portal
(host) [md] (config) #aaa profile aaa_c-portal
initial-role logon
(host) [md] (config) #wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 900
(host) [md] (config) #wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
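As an added example (not Aruba's code and not part of the original page), this Python script parses the CLI listing above and checks that each virtual AP profile reaches a captive portal authentication profile through its AAA profile and initial role, which is the chain the procedure requires. It assumes the prompt format shown on this page and inspects only objects present in the text it is given, so a predefined role that never appears in the listing is reported as not defined.

```python
import re
# The CLI commands from this page, prompts included (names as shown on the page).
SAMPLE = """\
(host) [md] (config) #aaa authentication captive-portal c-portal
default-role employee
server-group cp-srv
(host) [md] (config) #user-role logon
(host) [md] (config-submode)#access-list session c-portal
captive-portal c-portal
(host) [md] (config) #aaa profile aaa_c-portal
initial-role logon
(host) [md] (config) #wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 900
(host) [md] (config) #wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal
"""
PROMPT = re.compile(r"^\(host\) \[md\] \(config(-submode)?\) ?#\s*")
CP = "aaa authentication captive-portal"
KINDS = (CP, "user-role", "aaa profile", "wlan ssid-profile", "wlan virtual-ap")

def parse(text):
    """Return {kind: {name: {setting: value}}} for the object kinds in KINDS."""
    objs, cur = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        kind = next((k for k in KINDS if line.startswith(k + " ")), None)
        if kind:  # a command that opens a configuration object
            cur = objs.setdefault(kind, {}).setdefault(line[len(kind):].strip(), {})
        elif line and cur is not None:  # a setting inside the current object
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    return objs

def audit(objs):
    """Walk virtual AP -> AAA profile -> initial role -> captive portal profile."""
    get = lambda kind: objs.get(kind, {})
    problems = []
    for vap, s in get("wlan virtual-ap").items():
        if s.get("ssid-profile") not in get("wlan ssid-profile"):
            problems.append(f"{vap}: ssid-profile not defined")
        aaa = get("aaa profile").get(s.get("aaa-profile"))
        role = get("user-role").get((aaa or {}).get("initial-role"))
        cp = get(CP).get((role or {}).get("captive-portal"))
        if aaa is None:
            problems.append(f"{vap}: aaa-profile not defined")
        elif role is None:
            problems.append(f"{vap}: initial-role not defined")
        elif cp is None:
            problems.append(f"{vap}: initial role has no captive-portal profile")
        else:
            problems += [f"{vap}: captive-portal profile lacks {k}"
                         for k in ("default-role", "server-group") if k not in cp]
    return problems
```

`audit(parse(SAMPLE))` returns an empty list for the listing on this page; removing the `captive-portal c-portal` line from the `logon` role makes it report that the initial role has no captive portal profile.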
Configuring Captive Portal in the Base Operating System